COVID-19 has had a dramatic impact on enterprise IT. For cyberattackers, that means opportunity.
As organizations adapt to the ongoing pandemic, changes in the technology they use, how they use it, and how they secure it (or don’t secure it) have created a perfect storm of opportunity for adversaries to strike. The cybersecurity decisions enterprises make now will have major business ramifications, both positively and negatively, for months and years to come.
Here we'll review some of the top areas of increased enterprise cybersecurity risk related to COVID-19, and what organizations can do to reduce their exposure to potential cyberattacks.
Since the pandemic began, adversaries have been using fraudulent email and SMS messaging to trick victims into surrendering sensitive information. Researchers are constantly uncovering new messaging campaigns that use COVID-19 or related themes to steal users' credentials, get inside target organizations, and ultimately pilfer data or money.
Enterprises should clearly articulate to staff, partners, and clients/customers how they will communicate information related to the pandemic, ideally including the means (emails, intranet, webinars, etc.), frequency, and hallmarks of legitimate communications. All should be reminded of the ways in which adversaries are trying to exploit interest in COVID-19 information, and be educated about techniques attackers use as they evolve. Organizations should also discern how their messaging security vendors are protecting them against pandemic-related social engineering attacks, and enable additional filters or other protections if warranted.
Working from home
Now that so many more employees are working remotely, there are a lot of new targets for attackers. Home networks aren't defended nearly as well as enterprise environments. Employees often use their own devices for work, which in turn can introduce malware and other threats into the corporate environment. To enable remote access to legacy systems, some organizations have reduced security measures. Critical systems often fail to support multifactor authentication, and physical device theft is an increased risk, especially for employees who may have never worked remotely before.
Encourage employees to check with their ISPs to ensure their home internet gateways, routers, and other key devices have the latest software updates; consider compiling a resource guide with easy-to-follow instructions. Every remote employee should use a VPN, and its use should be mandatory to access sensitive systems and data. And any access should be granted on an as-needed basis, audited regularly, and supported with multifactor authentication wherever possible.
Many organizations have realized that their IT infrastructures were not prepared to support suddenly having nearly 100% of their employees working remotely. This in turn has accelerated digital transformation activities, particularly around moving data and workloads to the cloud. Unfortunately, enterprises often fail to realize that responsibility for cloud security mostly falls on them, and in many cases requires new or different techniques. New research from Verizon's 2020 Data Breach Investigations Report shows misconfiguration-related breaches, largely stemming from improperly secured cloud data storage, nearly doubled in 2019; the pandemic is only likely to worsen this trend.
Any digital transformation effort should consider cybersecurity from the beginning, both from a technology and process standpoint. The cybersecurity team should ensure product stakeholders understand cybersecurity requirements, that controls are validated prior to deployment, and that security is tested on an ongoing basis. From a technology standpoint, enterprises should consider cloud computing products from segments including cloud workload protection (CWPP), cloud application security brokers (CASB), cloud security and posture management (CSPM), and other cloud-delivered offerings, depending on specific use cases.
To support all this, many organizations have had to reduce their focus on cybersecurity. In fact, new survey results from cybersecurity training and certification consortium (ISC)2 found that nearly half of cybersecurity workers have recently been removed from some or all of their typical cybersecurity duties to support other IT-related tasks, such as equipping a newly mobile workforce. This means not only are there more opportunities for adversaries, but there are also fewer cybersecurity pros actively trying to find and stop those attacks. It is a worst-case scenario in the making.
Adversaries know most organizations are more vulnerable than they were a few months ago. In turn, enterprises should not reassign cybersecurity staff unless it is absolutely necessary. When such a decision is made, it should be for a short, predetermined duration, and made based on defendable, risk-based criteria. Once things begin to return to normal, organizations should also strongly consider engaging with a third-party cybersecurity consulting firm to conduct a vulnerability assessment. This will help to ensure post-pandemic cybersecurity defenses and processes are sound.
The unfortunate reality is that some organizations will be breached, in part due to IT decisions (or indecision) during this period. Sadly, for some videoconferencing providers and other businesses that have seen a sharp increase during the pandemic, this has already proven to be true.
But it's not too late to respond. By using the information above as a starting point to assess an enterprise’s pandemic-related security posture, it is possible to thwart adversaries hoping to turn your crisis into their opportunity.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.